
Wi-Fi Roaming Services

XCWP - XIRRUS ADVANCED TECHNICAL TRAINING

2013 XIRRUS :: All Rights Reserved

AGENDA

Description
Roaming Modes - Xirrus
Client Operation
Use and Configuration of Xirrus Roaming Services
Vendor Interoperability

ROAMING

Customer complains that clients are doing unnecessary roaming.
What do you do?

DESCRIPTION
Roaming
- The act of a client moving from radio to radio on the same SSID
- Goal is to allow connected mobility for clients

Additional Info:
- 2 types of roaming
  - Seamless roaming (persistence) - maintains connection/session
  - Nomadic roaming - same SSID available across environment
- Roaming decisions are made by the client (today)
- The two main factors that define roaming
  - Decision to roam - when to roam (vendor-specific algorithms)
  - Time to roam - how long traffic flow is impacted

DESCRIPTION - STANDARDS
The IEEE 802.11 standard continues to evolve to improve interoperability.

802.11f - Inter-Access Point Protocol - Withdrawn

802.11i (Supported)
- IEEE 802.11i is an amendment to the original IEEE 802.11 and specifies security mechanisms for wireless networks. Its improvements include, but are not limited to, WPA2, 802.1X and sharing of security keys (PMK caching).

802.11k (Support for 2 of 34 elements [this is the norm])
- 802.11k is designed to increase roaming efficiency
- Neighbor Reports - Beacons include lists of channels of nearby APs. This reduces client scan times, which results in reduced roam times and increased battery life.
- AP Channel Reports - When requested by clients, an AP provides information on nearby APs. Information includes BSSID, channel numbers and capabilities.

802.11r (Not currently supported officially; most functions provided by Fast Roaming)
- IEEE 802.11r (Fast Roaming) is an amendment to IEEE 802.11 designed to standardize transitions from one AP to another in under 50 milliseconds.
- Most of the process is already covered in 802.11i and 802.1X
- Primary advantage is vendor interoperability


XIRRUS ROAMING MODES


Layer 2
- Layer 2 roaming is fully defined within the 802.11(i) standard and allows for seamless/secure roaming of 802.11 clients without requiring any additional configuration.

Layer 3
- Some customers want to define their network such that if a user roams between APs connected to different domains (VLAN/subnet), clients will maintain the same IP address, typically to support real-time data traffic such as voice and/or video.

Roaming Assist
- Some smartphones/tablets stay connected to a radio with poor signal quality, even when there's a radio with better signal strength within range. Roaming Assist helps clients roam to Arrays that will give them higher-quality connections.


CLIENT OPERATIONS
Associated clients continue to seek stronger radios on the same SSID, roaming to the new radio when defined threshold(s) are met.

Operation
- Per 802.11, clients decide when to roam; APs do not tell them (*proprietary solutions)
- Roaming decisions are normally based on the RSSI (Received Signal Strength Indicator) difference between the current association and that of a nearby AP/radio.
- Roaming based on a stronger RSSI is not always the best choice. RF band (2.4/5 GHz), mode (11a/b/g/n/ac) or traffic load may offset any signal strength value.

Configuration
- Client Roaming Settings
  - Aggressiveness - Defines how aggressively the client will try to roam based on RSSI values.
  - Capabilities vary considerably
- Proprietary Solutions
  - Cisco Compatible Extensions (CCX), etc.
- Standards Development
  - 802.11k and 802.11r are designed to provide improved/standards-based roaming as well as allow infrastructure (APs) to control client roaming

XIRRUS ROAMING ASSIST


Operation
- When enabled, the Array/AP compares client RSSI values and neighboring Array/AP RSSI values and assists the device by de-authenticating it when certain parameters are met. In this way it should associate to the stronger Array/AP.

Array Configuration Parameters
- Configured in IAP/Roaming Assist section
- Enable - off by default
- Device Type - identifies the device type/class the Array will assist
- Roaming Threshold - RSSI difference that triggers a deauth
- Minimum Data Rate - client data rate drop (Tx or Rx) that triggers a deauth
- Backoff Period - time a station is allowed to stay connected before another deauth; default is 120 seconds. Prevents a client from repeatedly being de-authenticated.
- Monitor radio NOT required, but will improve network assessment

Use Example
- Client connected to Array A
- Array sees Client at -70 and Array B at -65
- Threshold set to -5
- Client disassociated from Array A, should then reassociate to Array B
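
The decision logic described on this slide, as an added sketch that is not Xirrus code. The class and field names are hypothetical, and two points the slide leaves open are assumed here: the threshold is compared against (client RSSI at this Array) minus (best neighbor RSSI), and either the RSSI or the data-rate condition alone triggers the deauth.

```python
from dataclasses import dataclass, field


@dataclass
class RoamingAssist:
    # Parameter names mirror the slide; comparison semantics are assumptions.
    enabled: bool = False        # off by default
    threshold_db: int = -5       # own RSSI minus neighbor RSSI that triggers a deauth
    min_rate_mbps: float = 0.0   # Tx or Rx rate below this triggers a deauth (0 = unused)
    backoff_s: int = 120         # time a station is left alone after a deauth
    _last_deauth: dict = field(default_factory=dict, repr=False)

    def evaluate(self, mac, now, own_rssi, neighbor_rssi, tx_mbps, rx_mbps):
        """Return (deauth, reason) for one observation of a station."""
        if not self.enabled:
            return False, "disabled"
        last = self._last_deauth.get(mac)
        if last is not None and now - last < self.backoff_s:
            return False, "backoff"   # prevents repeated de-authentication
        if neighbor_rssi and own_rssi - max(neighbor_rssi.values()) <= self.threshold_db:
            reason = "rssi"
        elif min(tx_mbps, rx_mbps) < self.min_rate_mbps:
            reason = "rate"
        else:
            return False, "ok"
        self._last_deauth[mac] = now
        return True, reason


def replay(assist, observations):
    """Run observations through the policy and collect the decisions."""
    return [assist.evaluate(*obs) for obs in observations]


# Constructed observations: (mac, time_s, RSSI at Array A, {neighbor: RSSI}, tx, rx)
SAMPLE = [
    ("aa:bb:cc:00:00:01", 0,   -70, {"ArrayB": -65}, 54.0, 54.0),  # the slide's example
    ("aa:bb:cc:00:00:01", 30,  -72, {"ArrayB": -60}, 54.0, 54.0),  # inside backoff
    ("aa:bb:cc:00:00:01", 130, -72, {"ArrayB": -60}, 54.0, 54.0),  # backoff expired
    ("aa:bb:cc:00:00:02", 0,   -55, {"ArrayB": -80}, 6.0, 54.0),   # low Tx rate
    ("aa:bb:cc:00:00:03", 0,   -55, {"ArrayB": -80}, 54.0, 54.0),  # healthy client
]

if __name__ == "__main__":
    for obs, decision in zip(SAMPLE, replay(RoamingAssist(enabled=True, min_rate_mbps=12.0), SAMPLE)):
        print(obs[0], obs[1], decision)
```

Replaying logged RSSI and rate samples through a model like this before enabling the feature shows how often a given threshold would disconnect clients, which is the first thing to check when users report unnecessary roaming.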


XIRRUS LAYER 2 ROAMING


Roaming Operation
- Decision to roam is exclusively controlled at the client. Array/AP features and controls are available to optimize or restrict client roaming operation.

Xirrus L2 Roaming
- In almost all cases no Layer 2 roaming settings are required or recommended
- 802.11i defines and controls 100% of PMK sharing and preauthentication
  - Station pre-auths with other IAPs and Arrays in the same L2 subnet
  - This shortens the RADIUS authentication, only conducting the 4-way EAPOL handshake upon a roam
- Only potential use for this is with WPA clients (non-802.11i)
  - Xirrus has a proprietary Fast Roaming solution for this
  - However, many WPA clients do not understand and/or accept this and may fail to roam due to bypassing the RADIUS server connection

Array Configuration Parameters
- Configuration is similar to L3 information in following slides
- Roaming Discovery Mode - Broadcast (wired side) or Tunneled (Base IAP MAC)
- Roaming Peers - All Arrays (subnet), Within Range (Monitor), Specific Arrays
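
How a cached PMK turns a roam into a 4-way handshake only, as an added model that is not Xirrus code. The PMKID formula is the one 802.11i defines for its original AKMs; the `Authenticator` class, the MAC addresses and the random PMK are constructed for illustration.

```python
import hashlib
import hmac
import os


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """802.11i PMKID: first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class Authenticator:
    """Toy model of one Array radio (BSSID) holding a PMK cache."""

    def __init__(self, bssid: bytes):
        self.bssid = bssid
        self.cache = {}  # PMKID -> PMK

    def install(self, pmk: bytes, sta: bytes) -> bytes:
        """Cache a PMK (from 802.1X, pre-auth, or a peer Array) for a station."""
        pid = pmkid(pmk, self.bssid, sta)
        self.cache[pid] = pmk
        return pid

    def on_reassociation(self, offered_pmkids) -> str:
        """Decide what the roam costs, given the PMKIDs the station offers."""
        if any(pid in self.cache for pid in offered_pmkids):
            return "4-way handshake only"
        return "full 802.1X via RADIUS, then 4-way handshake"


def roam_demo():
    sta = bytes.fromhex("02aabbcc0001")   # constructed station MAC
    a1 = Authenticator(bytes.fromhex("02000000a001"))
    a2 = Authenticator(bytes.fromhex("02000000a002"))
    a3 = Authenticator(bytes.fromhex("02000000a003"))
    pmk = os.urandom(32)                  # stands in for the 802.1X-derived PMK
    id1 = a1.install(pmk, sta)            # initial association on the first Array
    id2 = a2.install(pmk, sta)            # key shared with the second Array before the roam
    # The station computes one PMKID per target BSSID from the PMK it already holds.
    return {
        "ids_differ": id1 != id2,
        "array2": a2.on_reassociation([pmkid(pmk, a2.bssid, sta)]),
        "array3": a3.on_reassociation([pmkid(pmk, a3.bssid, sta)]),
    }


if __name__ == "__main__":
    print(roam_demo())
```

Because the PMKID is bound to the authenticator address, the same shared PMK yields a different identifier at every BSSID, and an Array that never received the key (the third one here) falls back to full RADIUS authentication.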


XIRRUS LAYER 3 ROAMING (MOBILE IP)


Operation
- L3 sessions are maintained by establishing SSL tunnels back to the original Array.
- L3 roaming incurs extra overhead and may result in additional traffic delays.

Array Configuration Parameters
- Requires configuration in SSID/Group, VLAN and IAP Global
- SSID/Group Section
  - Roaming Layer - select L2 or L3
- VLAN Section
  - Enable Roaming over specific VLANs
- IAP Global Section
  - Roaming Layer - select L2 or L3
  - Roaming Mode - method to discover other Arrays
    - Off - No discovery performed (for roaming purposes)
    - Broadcast (wired side) - Not useful for L3 roaming
    - Tunneled - Requires Array IP addresses be explicitly identified
  - Share Roaming Info With - how the Array shares roaming information
    - All Arrays (within subnet) - N/A for L3
    - Arrays within range - Arrays that hear each other (Monitor recommended)
    - Target Only - Identify specific Arrays (not available for Profiles) (<50 recommended)

XIRRUS ROAMING CONFIGURATION SCREENS (XMS)


XIRRUS LAYER 3 ROAMING DIAGRAM


[Diagram: Authentication Server and Directory Server; subnets 10.100.52.xxx and 10.100.67.xxx; Client at 10.100.52.101]


XIRRUS LAYER 3 ROAMING DIAGRAM


[Diagram: Authentication Server and Directory Server; subnets 10.100.52.xxx and 10.100.67.xxx; Client at 10.100.52.101 roams across the L3 boundary; actual traffic flow is via the L3 tunnel]


XIRRUS ROAMING OPTIONS


[Diagram: Directory Server and Authentication Server; subnets 10.100.52.xxx and 10.100.67.xxx joined by an L3 tunnel; Array1 to Array4 with PMK caches; MESH / WDS link; stations (STA, STA 1) roaming at L2 within the same subnet and at L3 between subnets]

- PMK exchange within the same subnet (L2 Roaming)
- PMK exchange between subnets (L3 Roaming) via the L3 tunnel

1. Initial Association - Station keys derived via 802.1X Auth Server
2. Keys passed to other Arrays prior to station roaming (Fast Roaming)
3. Keys passed to other Arrays via Layer 3 tunnel - Station keeps original IP address

VENDOR INTEROPERABILITY
Open SSID
- Open SSID roaming between wireless vendors should be unimpeded as long as the backend network is the same L2 network and there is nothing required on the client other than it making the choice to roam to an infrastructure radio.

WPA2 PSK SSID
- Identical SSID and PSK should operate just like an open SSID. Confirm that authentication mode and PSK are identical. Some vendors allow mixed WPA and/or WPA2 SSID configuration; this has been known to cause roaming issues.

WPA2 802.1X SSID
- Per the standard, a mixed-vendor environment using 802.1X/WPA2 should work.
- However, if Layer 3 roaming and/or separate authentication servers are accessed by the different vendors' solutions, problems could result.

Multi-Vendor Deployments - Final Thoughts
- Avoid if possible; separate networks if required
- Avoid L3 roaming between vendors - most vendors have proprietary solutions, which makes it difficult, if not impossible, to obtain seamless L3 roaming between vendors.
- Always test configuration and operation before moving to a production network

THANK YOU!
TRAINING@XIRRUS.COM
